Fix unconsumed parameter exception when authenticating with jwtUrlParameter #3975
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ameter Signed-off-by: Craig Perkins <[email protected]>
cwperks
requested review from
cliu123,
DarshitChanpura,
davidlago,
peternied,
RyanL1997,
stephen-crawford,
reta and
willyborankin
as code owners
cwperks
changed the title
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
peternied
reviewed
Jan 23, 2024
src/main/java/org/opensearch/security/filter/SecurityRequest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Ty @cwperks for this contribution! left a small nit to improve readability. +1 to Peter's comment about keeping the interface void of any potential abstraction leakage.
stephen-crawford
previously approved these changes
Jan 26, 2024
src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java
Show resolved
Hide resolved
Signed-off-by: Craig Perkins <[email protected]>
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #3975 +/- ##
==========================================
+ Coverage 65.56% 65.87% +0.31%
==========================================
Files 298 298
Lines 21246 21307 +61
Branches 3457 3469 +12
==========================================
+ Hits 13930 14037 +107
+ Misses 5595 5534 -61
- Partials 1721 1736 +15
|
peternied
reviewed
Jan 31, 2024
src/main/java/org/opensearch/security/filter/OpenSearchRequest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Looks good to me @cwperks . Not sure why the codecov checks are failing would you please check that.
….java Co-authored-by: Peter Nied <[email protected]> Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
peternied
approved these changes
Feb 21, 2024
DarshitChanpura
approved these changes
Feb 22, 2024
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Feb 22, 2024
…ameter (#3975) Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]> (cherry picked from commit ccea744) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
This was referenced Feb 22, 2024
cwperks
added a commit
that referenced
this pull request
Feb 23, 2024
… with jwtUrlParameter (#4065) Backport ccea744 from #3975. --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Craig Perkins <[email protected]>
dlin2028
pushed a commit
to dlin2028/security
that referenced
this pull request
May 1, 2024
…ameter (opensearch-project#3975) Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Discovered this bug when analyzing #3949. There is a regression in authentication with the
jwtUrlParameterwhere it fails to consume the parameter and responds withillegal_argument_exception: contains unrecognized parameter:The regression was introduced with the HeaderVerifier changes. With the HeaderVerifier, the HTTP Authenticators are authenticating with a lower-level request object, a NettyRequest. After the request is authenticated, it is then handled by the SecurityRestFilter using the higher-level OpenSearchRequest. The SecurityRestFilter is where authentication was previously performed before the HeaderVerifier changes. The JWT Authenticator "consumes" the jwtUrlParameter, but since its operating on the lower-level request object it is not properly consuming the parameter.
This change takes advantage of the channel attributes to carry the CONSUMED_PARAMS from the header verifier to the security rest filter where they are then consumed on the RestRequest object to prevent the illegal_argument_exception.
Bug Fix
Issues Resolved
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.